Microsoft has plugged a hole in its Windows operating system that allowed attackers to use USB-connected drives to take full control of a targeted computer.

Microsoft said it classified the vulnerability as "important," a less severe rating than "critical," because exploits require physical access to the computer being attacked. While that requirement makes it hard for hacks to spread online, readers should bear in mind that the vulnerability in theory allows attackers to carpet bomb conferences or other gatherings with booby-trapped drives that, when plugged into a vulnerable computer, infect it with malware. Such vulnerabilities also allow attackers to penetrate sensitive networks that aren't connected to the Internet, in much the way the Stuxnet worm that targeted Iran's nuclear program did.

"When you look at it in the sense of a targeted attack, it does make the vulnerability critical," Marc Maiffret, CTO of BeyondTrust, told Ars. "Because of things like Stuxnet raising awareness around the physical aspect of planting USB drives or having people to take these things into facilities, it does make it critical."

According to Microsoft, the MS13-027 series of vulnerabilities can be exploited when a maliciously formatted USB drive is inserted into a computer. When Windows drivers read a specially manipulated descriptor, the system will execute attack code with the full permissions of the operating system kernel.

"Because the vulnerability is triggered during device enumeration, no user intervention is required," Microsoft Security Response Center researchers Josh Carlson and William Peteroy wrote in a blog post. "In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine."
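To show the kind of descriptor-parsing hazard described above from the defender's side, here is an added C example. It is not Microsoft's driver code and does not reproduce the MS13-027 flaw (the page gives no details of it); it is a constructed host-side walker that checks every device-supplied length field against the bytes actually received before trusting it, which is the class of check an enumerator must make.

```c
#include <stdint.h>
#include <stddef.h>

/* Every USB descriptor starts with bLength (its total size, including
   these two bytes) and bDescriptorType. Both come from the device. */
#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

/* Walk a configuration descriptor block as an enumerator would.
   Returns the number of descriptors accepted, or -1 if any length
   field is inconsistent with the buffer that was actually received. */
int walk_config_descriptors(const uint8_t *buf, size_t len)
{
    if (len < 4 || buf[0] < 4 || buf[1] != USB_DT_CONFIG)
        return -1;
    /* wTotalLength (little-endian) is device-supplied: never read past len */
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (total > len)
        return -1;              /* device claims more bytes than it sent */
    size_t off = 0;
    int count = 0;
    while (off < total) {
        if (total - off < 2)
            return -1;          /* truncated header */
        uint8_t blen = buf[off];
        if (blen < 2 || blen > total - off)
            return -1;          /* 0/1 would never advance; too large overruns */
        /* per-type minimum sizes keep later field reads in bounds */
        uint8_t type = buf[off + 1];
        if ((type == USB_DT_INTERFACE && blen < 9) ||
            (type == USB_DT_ENDPOINT && blen < 7))
            return -1;
        count++;
        off += blen;
    }
    return count;
}

/* Constructed sample: config(9) + interface(9) + endpoint(7) = 25 bytes */
static const uint8_t GOOD_CONFIG[] = {
    9, 2, 25, 0, 1, 1, 0, 0x80, 50,
    9, 4, 0, 0, 1, 0xFF, 0, 0, 0,
    7, 5, 0x81, 2, 64, 0, 0 };
/* Same layout, but the endpoint's bLength claims 0x40 bytes never sent */
static const uint8_t BAD_CONFIG[] = {
    9, 2, 25, 0, 1, 1, 0, 0x80, 50,
    9, 4, 0, 0, 1, 0xFF, 0, 0, 0,
    0x40, 5, 0x81, 2, 64, 0, 0 };
```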

Over the past few years, Microsoft has closed a variety of security holes related to USB hard drives. In addition to fixing the LNK file vulnerability that allowed Stuxnet to infect machines when a stick was plugged in, company engineers have also reworked the autorun feature that used to automatically open a window each time a removable drive was connected. Hackers had long abused the feature to display options that would say things like "open folder to view files" but install malware when clicked instead.

MS13-027 is one of seven bulletins Microsoft issued as part of this month's Patch Tuesday. (The company releases fixes on the second Tuesday of each month.) In all, the bulletins fixed 20 separate vulnerabilities in Internet Explorer, Silverlight, Visio Viewer, SharePoint, OneNote, and Outlook. While the USB patch isn't among the four bulletins rated critical, readers might consider it urgent nonetheless.